Pretty Advanced New Stuff from CCG Consulting


Tag Archives: privacy

Over 200 of the largest companies in the country are proposing a new set of national privacy laws that would apply to large companies nationwide. They are pushing to have this considered by the upcoming Congress.

The coalition includes some of the largest companies in Silicon Valley like Apple and Oracle, but it doesn’t include the big three of Facebook, Google and Amazon. Among the other big businesses included in the group are the largest banks like Bank of America and Wells Fargo, big carriers like AT&T and big retailers like Walmart.

As you might expect, a proposed law coming from the large corporations would be favorable to them. They are proposing the following:

Eliminate Conflicting Regulations. They want one federal set of standards. States currently have developed different standards for privacy and for issues like defining sensitive information. There are also differing standards by industry such as for medical, banking and general corporations;

Self-regulation. The group wants the government to define the requirements that must be met but don’t want specific methodologies or processes mandated. They argue that there is a history of government technical standards being obsolete before they are published;

Companies Can Determine Interface with Consumers. The big companies want to decide how many rights to give to their customers. They don’t want mandates for defining how customer data can be used or for requiring consumer consent to use data. They don’t want mandates giving consumers the right to access, change or delete their data;

National Standard for Breach Notification. They want federal, rather than differing state rules on how and when a corporation must notify customers if their data has been breached by hackers;

Put the FTC in Charge of these Issues. They want the FTC to enforce these laws rather than State Attorney Generals;

Wants the Laws to Only Apply to Large Corporations. They don’t want rigid new requirements on small businesses that don’t process much personal data.

There are several reasons big companies are pushing for legislation. There are currently different privacy standards around the country due to actions brought by various State Attorney Generals and they’d like to see one federal standard. But like most laws the primary driver behind this legislation is monetary. Corporations are seeing some huge hits to the bottom line as a result of data breaches and they hope that having national rules will provide a shield against damages – they hope that a company that is meeting federal standards would be shielded from large lawsuits after data breaches.

I look at this legislation both as a consumer and as somebody working in the small carrier industry. With my consumer hat on there are both good and bad aspects of the proposed rules. On the positive side a set of federal regulations ought to be in place for a complex issue that affects so many different industries. For example, it is hard for a corporation to know what to do about a data breach if they have to satisfy differing rules by state.

But the negatives are huge from a consumer perspective. It’s typical political obfuscation to call this a privacy law because it doesn’t provide any extra privacy for consumers. Instead it would let each corporation decide what they want to disclose to the public and how companies use consumer data. A better name for the plan might be the Data Breach Lawsuit Protections Act.

There are also pros and cons for this for small carriers. I think all of my clients would agree that we don’t need a new set of regulations and obligations for small carriers, so small carriers will favor the concept of excusing smaller companies from some aspect of regulations.

However, all ISPs are damaged if the public comes to distrust ISPs because of the behavior of the largest ISPs. Small ISPs already provide consumer privacy. I’ve never heard of a small ISP that monitors customer data, let alone one that is trying to monetize their customers’ data. Small ISPs are already affording significant privacy rights to customers compared to the practices of AT&T, Verizon or Comcast who clearly view customer data as a valuable asset to be exploited rather than something to protect. The ISP industry as a whole would benefit by having rules that foster greater customer trust.

I’m not sure, however, that many small ISPs would automatically notify customers after a data breach – it’s a hard question for every corporation to deal with. I think customers would trust us more if there were clear rules about what to do in the case of a breach. This proposed law reminds me that this is something we should already be talking about because every ISP is vulnerable to hacking. Every ISP ought to be having this conversation now to develop a policy on data breaches – and we ought to tell our customers our plans. Small ISPs shouldn’t need a law to remind us that our customers want to trust us.


Recently Ro Khanna, a California Congressman, worked with some of the biggest thinkers in Silicon Valley to develop what he’s calling an Internet Bill of Rights – the document included at the end of this blog. This Bill of Rights lays forth the ideal basic right of privacy that users most want out of the Internet.

This document is possibly the start of the process of discussing regulation for the big Internet companies – something that doesn’t exist today. Currently the Federal Trade Commission theoretically can pursue web companies that rip off the public and the Justice Department can tackle monopoly abuses – but otherwise the web companies are not regulated.

It’s becoming increasingly clear in the last few years that web companies have grown to the size where they value profits first, and any principles that were loosely followed in the early days of the Internet are long gone. There are constant headlines now declaring abuses by web companies. Recent Congressional hearings made it clear that the big companies are misusing customer data – and those hearings probably barely uncovered the tip of the iceberg.

The European Union has begun the process of trying to reel in some of the biggest abuses of the web companies. For example, web companies in Europe now have to disclose to users how they intend to use their data. In this country we’re starting to see sentiment from both Democrats and Republicans that some level of regulation is needed.

It won’t be easy to regulate the big web companies, which are now gigantic corporations. I read recently that there are now more lobbyists in DC working for web companies like Facebook and Google than work for the big telcos and ISPs. There will be a major pushback against any form of regulation and it would obviously require a significant bipartisan effort over many years to create any worthwhile regulations.

My guess is that the public wants some sort of protection. Nobody wants their data released to the world through data breaches. Most people want things like their medical and financial records kept private and not peddled between big companies on the web. Almost everybody I know is uneasy with how the big web companies use our personal data.

I think this creates an opportunity for small ISPs. There are aspects of this Bill of Rights that the big ISPs will oppose. They are clearly against net neutrality. All of the big ISPs have purchased companies to help them better mine customer data – they obviously want to grab a slice of the money being made by Google and Facebook off user data. The big ISPs are likely to fight hard against regulation.

It’s virtually impossible for small ISPs to violate any of these principles. That creates an opportunity for small companies to differentiate themselves from the big ISPs. I think small ISPs need to tout that they are for net neutrality, that they value customer privacy and that they will never misuse customer data. I have a few clients that do this, but very few make this one of the key ways to differentiate themselves from the big ISPs they compete against.

I strongly recommend giving this some thought. Supporting consumer data rights can be made a key part of small ISP advertising. Some statements akin to the Internet Bill of Rights can be made prominent on web sites. These concepts should be prominent in your terms of service. These are concepts your customers will like and it shouldn’t be hard for any small ISP to embrace them.

Internet Bill of Rights

The internet age and digital revolution have changed Americans’ way of life. As our lives and the U.S. economy are more tied to the internet, it is essential to provide Americans with basic protections online.

You should have the right:

(1) to have access to and knowledge of all collection and uses of personal data by companies;

(2) to opt-in consent to the collection of personal data by any party and to the sharing of personal data with a third party;

(3) where context appropriate and with a fair process, to obtain, correct or delete personal data controlled by any company and to have those requests honored by third parties;

(4) to have personal data secured and to be notified in a timely manner when a security breach or unauthorized access of personal data is discovered;

(5) to move all personal data from one network to the next;

(6) to access and use the internet without internet service providers blocking, throttling, engaging in paid prioritization or otherwise unfairly favoring content, applications, services or devices;

(7) to internet service without the collection of data that is unnecessary for providing the requested service absent opt-in consent;

(8) to have access to multiple viable, affordable internet platforms, services and providers with clear and transparent pricing;

(9) not to be unfairly discriminated against or exploited based on your personal data; and

(10) to have an entity that collects your personal data have reasonable business practices and accountability to protect your privacy.

A few days ago I wrote that we are not likely to get any significant telecom legislation this year. That’s unfortunate because we really need a major new Act to update all of the regulatory rules concerning broadband, telephone and cable TV. That got me thinking what I might write into such an act if I was the author, so following are the highlights of the envisioned Dawson Internet Act of 2018 (it’s time we stop calling this the telecom industry):

Cable TV. It’s time to scrap all requirements that dictate cable tiers. Cable companies need to be able to offer whatever channels they think make economic sense, including offering a la carte channels, if that’s what the public wants. I’d also scrap the must-carry rules for major network stations. The retransmission costs for those channels are one of the primary culprits for rate increases and removing the requirement to carry channels will return cable companies to a position of fair bargaining for price since they could walk away from any local station that wants too much.

Telephone. Other than a few rules that govern customer privacy I’d totally scrap federal regulations for landline service. I’d eliminate the CLEC classification and deregulate traditional telephone and VoIP equally to put the products on a non-regulated level playing field. I think I would retain the historic monopoly service territories, although I’d have to give that a lot more thought.

Interconnection. I’d keep the mandate that network owners must continue to interconnect with other carriers. They can’t be allowed to shut out a competitor by refusing to give them access to the underlying backhaul networks. But since I would eliminate the CLEC status, the big network owners need to be required to interconnect with anybody who meets specified technical standards.

ETC Status. Today a company must become an Eligible Telecommunications Carrier in order to participate in Universal Service Funds or other federal funding programs. I’d eliminate this requirement because it’s nothing more than a paperwork barrier to market entry. The current rules also disallow certain types of providers, such as owners of open access networks, although customers almost universally prefer that operating model.

Broadband. The FCC needs to regulate broadband, even if they elect to regulate it lightly. Congress can mandate this and get rid of the nonsense of trying to make broadband fit under Title II and just explicitly give the FCC the authority and obligation to regulate it.

Network Neutrality. I would make network neutrality the centerpiece of broadband regulation. The most important aspect of network neutrality is prohibiting paid prioritization – because once the ISPs start doing that all of the nightmare scenarios of a broken Internet emerge.

Spectrum. I think the FCC is already on a good path to free up spectrum for broadband. But I think they are missing the boat by not providing more spectrum for public access. One only has to look at the huge economic boom created by WiFi to see that giving all spectrum to big monopolies is not the best answer. I’d also make a firmer use-it-or-lose-it rule for rural spectrum. A huge amount of spectrum sits unused in rural America but is still under control of the big carriers who purchased large-area licenses. Finally, rather than turn spectrum auction proceeds over to the US Treasury I’d redirect these revenues towards meeting universal service goals.

Universal Service. I’d maintain the requirement that the FCC monitor broadband connectivity and require them to try to find solutions for areas without good broadband. I’d also prohibit them from funding any broadband programs like CAF II that support technologies that are slower than the federal definition of broadband. I’d also mandate an ongoing process for defining the official speed of broadband.

Privacy. I like what I’m reading about the European Union privacy rules. They are allowing ISPs and others to monitor and track customers only with customer consent. That will allow people who care about privacy to maintain it while allowing others who choose to sacrifice privacy for services to allow tracking. The penalties for violating customer privacy must be economically severe.

Municipal Broadband. I’d eliminate all barriers to municipal competition. Local communities ought to be able to decide themselves if they want to tackle the risk of building broadband. This is particularly needed in rural America where, in many cases, the local government might be the only one willing to tackle funding a network.

Access to Poles, Ducts and Dark Fiber. I’d make these assets available to anybody that can meet technical standards to use them. I’ve still not decided how I feel about federal one-touch rules, but I’d have the FCC institute a major rulemaking to get more facts on the issues involved.

I’m sure everybody in the industry has a different list than mine. I remember all of the discussions and negotiations leading up to the Telecommunications Act. That Act took some political bravery since Congress was taking on the big telcos for the greater public good – and that Act did a fairly good job of promoting competition. But I don’t see this same courage in Washington today and most of the topics on my list are sadly not even being discussed.

Our homes are starting to get filled with Internet-enabled devices. I recently looked around my own home, and in addition to the expected devices like computers, printers, tablets and smartphones we have many other devices that can connect to the Internet. We have a smart TV, an eero WiFi network, three Amazon Echos, several fitness trackers, and a smart watch. Many homes have other Internet-connected devices like smart burglar alarms, smart thermostats, smart lighting and even smart major appliances. Kids can have smart toys and game consoles these days which have more computing power than most PCs.

Every one of these devices gathers data on us and a good argument can be made that we are all being spied on by our devices. Each device witnesses a different part of our lives, but add them all together and they paint a detailed picture of the activity in your home and of each person living there.

There are numerous examples of companies that we know are using our data:

Last year it was revealed that Roomba was selling detailed information about the layouts of homes to data brokers.

The year before we found out that Samsung smart TVs were capable of listening to conversations in our living rooms and also had backdoor connections to the Internet.

There has been an uproar about smart talking toys that not only interact with kids but also listen and essentially build profiles on them.

Smart devices like smart phones, tablets and computers come with software that is aimed at gathering data on us for marketing purposes. This software generally is baked in and can’t be easily removed. Some companies like Lenovo (and their Superfish malware) went even further and hijacked user web traffic in favor of vendors willing to pay Lenovo.

Buyers of John Deere tractors found out that while they own the tractor they don’t own the software. The company penalizes customers who try to repair their tractor by anybody other than an authorized John Deere repairperson.

Probably the most insidious result of all of this spying is that there are now data brokers who gather and sell data that can paint a detailed profile of us. These data profiles are then used to market directly to us or are sold to politicians who can target those most sympathetic to their message. It’s also been reported that smart criminals are using this data to choose victims for their crimes.

I’m sure by now that everybody has searched for something on the web, and then noticed that for the next few weeks they are plastered with ads trying to sell them the subject of their search. This happened to me a few years ago when I was looking at new pick-up trucks on the web. But today this goes a lot farther and people complain about getting medical ads after they have searched the web about an illness.

To make matters worse, we have a government regulatory policy in this country that benefits the corporations that are spying on us. Last year Congress passed privacy rules that let ISPs and anybody else gathering raw digital data off the hook. There are essentially no real privacy rules today. Data privacy is now under the purview of the Federal Trade Commission. They might intervene in a particularly egregious case of invasion of privacy, but their rules are not proactive and only can be used to find companies that have already broken the rules. Unless fines grow to be gargantuan it’s unlikely that the FTC will change much of the worst practices using our data.

The European Union is in the process of enacting rules that will clamp down on data gathering. Their rules that go into effect in a few months will require that customers buy in to being monitored. That is great in concept, but my guess is that it’s going to take a decade of significant fines to get the attention of those companies that gather our data. Unless the fines are larger than the gains from spying on people then companies will continue to monitor us, and they will just work harder to hide evidence of spying from the government.

I think there are very few of us who don’t believe our data should belong solely to us. Nobody really wants outsiders knowing about their web searches. Nobody wants unknown companies tracking their movement inside their homes, their purchases and even their conversations. But for now, the companies that are gathering and using our data have the upper hand and are largely free to do nearly anything they want with our data.


It’s worth keeping an eye on the new European privacy standards that go into effect in May. Titled the General Data Protection Regulation (GDPR), the new rules provide significant privacy protection for European Union citizens. The new rules are required for all companies doing business in the EU, so that means it applies to the majority of web companies operating in the US. The GDPR rules also apply to brick and mortar companies that collect customer data like banks and doctors. The privacy rules apply to companies that collect data directly from customers (data controllers) as well as any secondary companies that process that data (data processors). Interestingly, under the new rules a data controller is responsible to know what data processors do with the data they provide to them.

The major basis for the new rules is that consumers own and have control of their own data and companies can only use data if there is at least one lawful basis for doing so. This includes:

A consumer gives specific permission to use personal data for one or more specific purposes;

Processing the data is necessary to meet a contractual arrangement with a consumer;

Processing the data is necessary to meet a legal obligation which applies to the consumer;

Processing is necessary to protect the vital interests of the consumer or some other natural person;

Processing is allowed for the performance of a task carried out in the public interest, such as by the government;

Processing is necessary to pursue legitimate interests of the data controller or a third party.

For the most part the new laws require consumers to give explicit consent to use their data, including the specific purpose for the use. Just like in the US, there are provisions for law enforcement to gain access to customer data through subpoena or court order.

Larger companies are expected to create the position of Data Protection Officer who is tasked to make sure that all parts of a company are compliant with the law. As you might expect, meeting these requirements is a major change for many companies and there has been a two-year transition period leading up to the May implementation.

The new law also changes the way that companies store customer data to minimize the impact of data breaches. For example, companies are encouraged to store data in such a way that the stored data cannot be attributed to a specific person without the use of additional data. The law calls this pseudonymisation which means encrypting stored data and storing it in a manner to make it hard for an outsider to use. For example, a company would not store things like a social security number, date of birth, address and email address all in the same record.

The law has teeth and allows for fines up to 4% of the worldwide revenues of a business for massive violations of the rules. The expectation is that there will probably have to be a few serious fines levied to get most companies to get serious about following the new rules.

Overall this law creates a drastic change in the handling of customer data. Companies will not be allowed to mine and sell customer data without specific customer approval. It seems to particularly discourage the practice of selling data to brokers who can then use the data in any manner they choose. In this country companies like Google and Facebook make huge revenues from data mining and the big ISPs are now leaping into this same business line. In Europe this is going to greatly restrict the value of selling customer data.

This new law is worth following since the big web companies that are so predominant in this country are going to be complying with the new rules. This means it would be relatively easy at some point to require similar rules here concerning customer data.

The GDPR data storage rules also have the purpose of limiting the value of data breaches. If we see a great reduction in damaging hacking in the EU because of this law, then companies here might begin following the EU recommended data storage methods even if the privacy rules are never implemented here. Some of the most damaging hacks we’ve seen here are when a hacker gets records that provide multiple data points for a given customer. If a hacker can’t use the data to put together a coherent picture of a given customer then the value of a breach is greatly reduced.


Protecting customer data has been in the news a lot recently and today I’m going to discuss two different news stories concerning the privacy of customer data.

The first story involves a case that will be decided soon by the U.S. Supreme Court. The case, Carpenter vs. United States, is contemplating the rules of how the government can access historical cellphone call records (and one assumes all other telecom records for calls and emails).

Without discussing all of the details of the case, the short version is that police had asked MetroPCS for the complete cellphone records of sixteen people suspected of robbing cellphone stores. MetroPCS supplied the details of all of the calls to and from each suspected cellphone as well as information about the location of the cell sites servicing each phone during the duration of the calls. The legal question being asked is if this represented a warrantless search and specifically as asked by government attorneys, “Whether the government’s acquisition, pursuant to a court order issued under 18 U.S.C. 2703(d), of historical cell-site records created and maintained by a cellular-service provider violates the Fourth Amendment rights of the individual customer to whom the records pertain.”

Recently fourteen companies including Google, Apple, Facebook, and Microsoft filed an amicus brief in the case that argues that the government is relying on outdated privacy laws from the 1970s that allow for the government to ask for telephone records without a warrant. Interestingly, Verizon joined in this argument.

Most small carriers are aware of this issue by the fact that local police often ask them for call records without a warrant. I can’t recall a time when a telco hasn’t responded to such requests, but I’ve talked to many companies who are often uncomfortable with the process. The fourteen companies get similar requests for call records but also for email records, web search results and other kinds of customer information. They argue that such requests should only be made with a warrant that reflects some level of probable cause. Court experts are calling this the biggest Fourth Amendment case in years because it’s going to consider the issues involved with the search for digital records.

The second news story is a different take on privacy. The Electronic Privacy Information Center (EPIC) has asked the Federal Trade Commission (FTC) to investigate how Google tracks customers. Specifically they say that Google analyzes credit card data to understand the in-store shopping habits of customers. They then sell this data to retailers. EPIC is asking the FTC to investigate the actual practices being deployed as well as to provide some sort of mechanism for people to opt out of this kind of tracking program.

If the FCC takes up this investigation it could also be groundbreaking. This case is the first specific case that asks the government to create some boundaries for such tracking and to allow people to opt out of being tracked.

There are many other companies other than Google who are now using ‘big data’ to compile detailed profiles of people. These profiles are being marketed to vendors of products and services, but there is a great fear among privacy advocates that these same profiles can be used for nefarious purposes by governments and others. For instance, scam artists would probably love to know the identity of every household in the country that has somebody suffering from early-stage dementia.

Anybody that is getting involved in selling smart home products needs to be concerned about these issues. Recently researchers Ming Jin, Ruoxi Jia and Costas Spanos of the University of California at Berkeley examined some routine data collected by smart electric meters and were surprised at how much they were able to figure out about the occupants of a home using the data. For example, they were able to understand the patterns of when homes were occupied and unoccupied and were fairly easily able to tell when a given residence was unoccupied.

As we get more smart devices in homes the combination of the data collected by the various devices will be able to paint a detailed picture of the occupants of a home. This case could be the first step towards defining customer rights for control of their personal data.


The press has been full of discussion over the last month with numerous articles about Internet privacy. Recent moves by the FCC and Congress have opened the doors for ISPs to track and monetize customer data.

But there is another, possibly bigger source of data that nobody is talking about. I ask the question today about who owns data from the Internet of Things? Our homes are starting to fill up with devices that have the ability to monitor our behavior in numerous ways. Currently there are no specific laws governing the collection and use of this data.

For example, there are now many kinds of devices that listen to conversations in our homes – the one thing that most people probably consider as private and personal. A few years ago we learned that Samsung TVs were capable of hearing all conversations in the room. It was reported at Christmas time that there are now dolls that listen to everything said and send the conversations to the cloud. Millions have invited talking personal assistants into their homes and business in the form of Amazon Echo or the numerous other devices hitting the markets. And many more millions now use Apple’s Siri when driving their cars. And those are just the devices that listen to us today. It’s expected that within the next few years many electronic devices will be voice activated and monitored in the cloud.

But there are numerous other kinds of devices that can spy on us. Security systems can track every movement of people within a home, and scientists say that understanding people’s movements says a lot about them – including things we might not even understand. When motion sensors get coupled with video cameras the security concerns get even scarier.

But monitoring our IoT can be even simpler than that and seem somewhat innocuous. Numerous manufacturers of appliances plan to include IoT monitoring capability so that they can understand how we use their products. You wouldn’t think that there is much to be worried about if your new blender tells the factory exactly how and when you use it. But if these companies decide to monetize the data they are collecting they could sell it to somebody that collects and collates data from all of our devices – and that aggregator could paint an incredibly detailed picture of our lives.

All of these devices will report back to the cloud using either WiFi or cellular connections, and that means the IoT data will always flow through an ISP on the way to the cloud. One would hope that much of this data will be encrypted, but if not then our ISPs might be the ones using big data analytics to paint a detailed picture of each of us.

From a legal perspective there is no clear answer about who owns this kind of data. Data from IoT devices are not specifically covered under current intellectual property laws. And that’s what makes this all murky. We provide personal data to outsiders in different ways, which might eventually make a legal difference. For example, any time we voluntarily give somebody access to data then they gain a right to use it. We all do this all of the time when we sign up for social media platforms or smartphone apps.

But the situation is probably different when we didn’t specifically grant any approval to use our data. I don’t expect that I am going to be required to sign a terms of service to use a new TV, a smart washer or a blender. In that case there can be a stronger argument made that such data belongs to the customer unless they grant specific approval to use it.

Things get even messier when we start looking at metadata. This is composite data that combines data from multiple people into a jumbled pile. But burying personal data inside metadata does not mean that people can’t be identified from the pile of data – it just means that it’s a bit harder to do.

At some point this is going to have to be addressed legally. Right now, without specific laws controlling this kind of data it’s a no man’s land. It’s hard to think that a court today would know what to do with a complaint that a vendor somehow violated us by using our data.

This Christmas season brings not only the usual joy and cheer, but also new challenges and privacy threats, which seem to be the nature of technology these days. It seems even Santa isn’t immune to gifting technology which invades our homes with toys that gather secret information about us.

It turns out that the My Friend Cayla doll and the i-Que Intelligent Robot have the ability to spy on everything that kids (or anybody else) say within listening range of the toy. There have been a few other toys in the past that were capable of conversing with kids. Last year’s Hello Barbie chatbox also had this capability. But the big difference is that the Hello Barbie only recorded speech when a button was pressed while these new toys are always listening.

This phenomenon is not limited to toys and there are other devices today that listen to us all of the time such as Siri-enabled iOS devices, OK Google-enabled phones or the Amazon Echo with Alexa. It seems like 2016 was the year when technology began to actively listen to us, even though the concept has been around a bit longer. In 2015 there was a furor when it was revealed that Samsung TVs could both watch and listen to whatever was happening in the room with them. But now the market is seeing a lot of devices with this capability and one can imagine this is going to soon be included in a lot of new devices.

There have always been concerns that future IoT devices would enable tech companies to spy on us. The example given in the past was that motion detectors and cameras that are part of a security system could log all movements inside a home and provide a lot of detail about how various family members move during the day.

But this new technology leaps beyond that scenario to devices that actively listen and record everything we say. One would have to think this new technology is going to be built into most future smart devices as we quickly move towards a world where we talk to our house and the devices in it. All of these technologies work today by using voice recognition software in the cloud that converts everything it hears into text. From there the software in the cloud reads the text to determine if anything said warrants a response.

I’m sure that the average person hasn’t considered what this new technology means, and perhaps having this technology show up in toys will begin the conversation. The potential for abuse from this technology is almost unimaginable. One can envision family members spying upon each other. It’s not a hard stretch to foresee a repressive government listening to everything we say, looking for ‘bad’ thoughts as was predicted in Fahrenheit 451 and 1984. It’s also not a hard stretch to see transcripts of what is said in a home end up on the dark web for sale so that anybody can buy our private conversations for a price. And in the business world it’s not hard to envision hacking into office devices as the ultimate form of corporate espionage – to catch those things that are said but are not put into writing.

Probably the worst thing about this technology appearing in toys is that it was put in half-baked with no real thought about security. The Electronic Privacy Information Center (EPIC) has brought a complaint about these toys to the Federal Trade Commission and asked that they be recalled, and that no future toys be allowed with the technology until there are some basic safety requirements defined for the industry. For example, EPIC showed that these toys can be easily hacked and that hackers are able not only to listen to everything said within 50 feet of one of the toys but, worse, to hold a conversation with kids through the toy. This opens up the scary scenario of child molesters talking directly to kids through the guise of a supposedly “safe” toy.

The company behind the technology in the toys is Nuance. Their response to the issue is not reassuring. They said that they do not sell the recorded voice data to anybody. But there is no law to stop the company from changing this policy at any time. And in today’s world there can be no guarantee that the company won’t be hacked and piles of our conversations stolen by nefarious people.

This is a new technology and now is the time to craft some laws about its use. Today there are only a handful of companies deploying the technology. But now that Amazon and Google are making their AI functions available to others as a cloud service, this technology will soon be built into a huge range of devices. I know it sounds cool to change the settings on your washing machine by telling it how to wash the next load, but is it worth it if your washing machine also sends a recording of everything it hears to the cloud?

So we enter this Christmas season with another new technological worry. For the first time it might really be true that Santa is actually listening and he really will know if you’ve been naughty or nice.

The FCC is considering new privacy rules for ISPs. The FCC is considering treating ISPs in the same way they have historically treated telcos. Telco customers have had the ability for years to opt out of having the telephone company use their data for other purposes. Most people don’t even remember this, but when you bought your last landline the telco was supposed to ask you if they can use your contact info for marketing their own products or if they can sell your information to outside companies.

But a telco doesn’t know much about you other than your phone number and who you call. Telcos have never really ‘mined’ telephone calling data and that was what made Edward Snowden’s revelations about the NSA so startling. The NSA demonstrated the ability to draw conclusions about people according to who they call.

But the data that an ISP collects from you as a customer can tell them almost everything about you. They know everything you do on the web – your social network connections, what you search for and buy online, and what you write in every email or messaging system. And – if they wanted to – your ISP could know truly private things about you, such as what illnesses you might have, if you are happy or unhappy in your relationships, or if you do anything that would embarrass you (like looking at pornography).

So the FCC wants to give customers the right to tell their ISP to not examine or use their personal data. Under the FCC’s proposed rules customers can opt out of ISP surveillance completely, or can allow their ISP to use their data in some less intrusive manner, yet to be defined.

It’s an interesting concept, because your ISP is the only entity online that knows everything about you. One would certainly hope that any such rules would apply equally to cellphone ISPs in the same manner as wireline ISPs.

These kinds of privacy rules would certainly put the brakes on the money that ISPs can make from mining data about their customers. We recently saw AT&T introduce the idea of charging more to customers to avoid deep data mining – making the default condition one of being monitored.

But the FCC is not going to put these same restrictions on what they call edge providers – meaning every service on the web. Facebook or Google would be free to use whatever they know about you, with the reasoning being that people use these services voluntarily.

There is another big privacy issue looming in the near future – and that’s the surveillance that is coming from the Internet of Things. There is an amazing amount of data that can be gleaned from monitors in our home. Health monitors are going to record details about you that you don’t even know about yourself. Various monitors around the home in the form of smart locks, smart cars, motion detectors, sleep monitors, etc. are going to monitor details about you (and the other people in your home) and how you live. Those details can then be sold to data companies that will combine data from multiple sources to paint a detailed picture of what you do and when you do it. Supposedly this will be done in order to personalize advertising for you, but it’s hard to believe that companies won’t take this a lot further and use this data in unsavory ways.

Already today there are data depositories buying raw data from a number of web sources that can paint a pretty good picture of who you are. Even without the ISPs being part of the data-gathering chain it’s likely that privacy is going to become largely a thing of the past.

There are a lot of people that don’t want to be watched so closely and I think we are going to see a new industry that strives to protect you from detailed monitoring. But when I see how extensive the data collection already is today, I fear that really removing yourself from data surveillance is going to be expensive and not available to most people.

I suspect my feelings towards privacy are typical. It makes me uneasy to have companies monitoring me and I find personalized advertising to be creepy. But as our world comes to rely more and more on devices that make our lives easier, it’s not hard to see that our current feelings about privacy are probably going to become quaint anachronisms of the past.

You have to give credit to the big ISPs – they are always looking for more ways to get money out of broadband and their other products. The latest innovative attempt comes from Comcast who told the FCC last week that they think they have the right to charge customers an extra fee for privacy. Comcast didn’t say that they were ready to launch this as a product, but was responding to an open investigation at the FCC over privacy.

You may recall that when AT&T announced gigabit service in Austin they charged $30 extra per month for privacy. That fee stops a user from undergoing AT&T’s ‘Internet Preferences’ – a deep-packet inspection process that tracks everything the customer does on the web.

Comcast says they have the right to charge extra for privacy and claimed that, “A bargained-for exchange of information for service is a perfectly acceptable and widely used model throughout the U.S. economy, including the Internet ecosystem, and is consistent with decades of legal precedent and policy goals related to consumer protection and privacy.”

They basically claim that other companies already charge a premium fee to customers to avoid things they don’t like. There are numerous video and music services, for example, that charge extra to avoid advertising.

But an ISP is in a different situation. These other services provide something voluntary and customers are free to buy a video service like Hulu with or without ads or not buy Hulu at all. And Hulu can only know what a customer watches and does on their site and nowhere else on the web.

But it’s mandatory to go through an ISP to reach the web and your ISP can know every keystroke you make on the web, every site you visit, everything you tell people in emails or messaging. Comcast argues that customers are free to go to another ISP if they don’t like the company’s policies. But realistically, in most markets there are no alternatives. I know my only alternative to my 100 Mbps Comcast cable modem is a DSL connection under 20 Mbps from CenturyLink, which is not fast enough for me. And if Comcast and AT&T start making money with deep packet inspections, I have a hard time thinking that CenturyLink and other ISPs won’t do the same thing.

Customers can control their privacy to a degree on the web if that’s important to them. Many people only connect to web services like Google through a proxy server that strips out their IP address and location. And there are alternatives to using the Google search engine such as DuckDuckGo or Ixquick that don’t track people. And nobody makes you create an identity on social media sites.

But you have to put the Comcast filing at the FCC into context. The FCC has proposed that everybody has the right to privacy and that the default state for privacy should be that customers are not tracked. The FCC wants customers to opt-in to tracking, and certainly many people will elect to do that. There are plenty of people that like customized advertising and the other features that come from companies that track them. But there are plenty of people who do not want to be tracked in most cases, and almost nobody wants their ISPs to read their emails or correspondence with their doctors.

The big companies are sometimes their own worst enemies because they do things without notifying their customers. Late last year, for example, Verizon admitted to using stealth cookies that could continue to track their wireless customers when they left the wireless ISP network.

This is going to be an interesting battle at the FCC and perhaps this will be the first real challenge of the new regulation under Title II rules. The FCC now wants to impose on the ISPs the same rules that have applied for years to telephone companies and voice – and which are allowed under the umbrella of Title II regulation. My bet on this issue is the FCC will prevail, but you know the big ISPs are never going to stop pushing the envelope.